eb8ad44c2c18bb08bbd9d1fc38f6944c5ef9d63fc76df36c183a1a149a606148

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb8ad44c2c18bb08bbd9d1fc38f6944c5ef9d63fc76df36c183a1a149a606148.exe
Size

2.6MB
MD5

938e2312498fc24e10d5a50e523429f3
SHA1

d6515457bd993d56e39a99a8b636348dc6f8eaf4
SHA256

eb8ad44c2c18bb08bbd9d1fc38f6944c5ef9d63fc76df36c183a1a149a606148
SHA512

0c2e9588c7d99d15199f72c1941d6b76b34c16d6018bfbaa8eba2d1c27f23059042e70415fe25cf91ece20452f18d0a161b01f07bd554e8bc2a4d99477b9f4d6
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSqW:sxX7QnxrloE5dpUpubVW

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	eb8ad44c2c18bb08bbd9d1fc38f6944c5ef9d63fc76df36c183a1a149a606148.exe

Executes dropped EXE 2 IoCs

pid	Process
4256	ecabod.exe
1924	abodsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvFQ\\abodsys.exe"	eb8ad44c2c18bb08bbd9d1fc38f6944c5ef9d63fc76df36c183a1a149a606148.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintW5\\optixsys.exe"	eb8ad44c2c18bb08bbd9d1fc38f6944c5ef9d63fc76df36c183a1a149a606148.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb8ad44c2c18bb08bbd9d1fc38f6944c5ef9d63fc76df36c183a1a149a606148.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1224	eb8ad44c2c18bb08bbd9d1fc38f6944c5ef9d63fc76df36c183a1a149a606148.exe
1224	eb8ad44c2c18bb08bbd9d1fc38f6944c5ef9d63fc76df36c183a1a149a606148.exe
1224	eb8ad44c2c18bb08bbd9d1fc38f6944c5ef9d63fc76df36c183a1a149a606148.exe
1224	eb8ad44c2c18bb08bbd9d1fc38f6944c5ef9d63fc76df36c183a1a149a606148.exe
4256	ecabod.exe
4256	ecabod.exe
1924	abodsys.exe
1924	abodsys.exe
4256	ecabod.exe
4256	ecabod.exe
1924	abodsys.exe
1924	abodsys.exe
4256	ecabod.exe
4256	ecabod.exe
1924	abodsys.exe
1924	abodsys.exe
4256	ecabod.exe
4256	ecabod.exe
1924	abodsys.exe
1924	abodsys.exe
4256	ecabod.exe
4256	ecabod.exe
1924	abodsys.exe
1924	abodsys.exe
4256	ecabod.exe
4256	ecabod.exe
1924	abodsys.exe
1924	abodsys.exe
4256	ecabod.exe
4256	ecabod.exe
1924	abodsys.exe
1924	abodsys.exe
4256	ecabod.exe
4256	ecabod.exe
1924	abodsys.exe
1924	abodsys.exe
4256	ecabod.exe
4256	ecabod.exe
1924	abodsys.exe
1924	abodsys.exe
4256	ecabod.exe
4256	ecabod.exe
1924	abodsys.exe
1924	abodsys.exe
4256	ecabod.exe
4256	ecabod.exe
1924	abodsys.exe
1924	abodsys.exe
4256	ecabod.exe
4256	ecabod.exe
1924	abodsys.exe
1924	abodsys.exe
4256	ecabod.exe
4256	ecabod.exe
1924	abodsys.exe
1924	abodsys.exe
4256	ecabod.exe
4256	ecabod.exe
1924	abodsys.exe
1924	abodsys.exe
4256	ecabod.exe
4256	ecabod.exe
1924	abodsys.exe
1924	abodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 4256	1224	eb8ad44c2c18bb08bbd9d1fc38f6944c5ef9d63fc76df36c183a1a149a606148.exe	86
PID 1224 wrote to memory of 4256	1224	eb8ad44c2c18bb08bbd9d1fc38f6944c5ef9d63fc76df36c183a1a149a606148.exe	86
PID 1224 wrote to memory of 4256	1224	eb8ad44c2c18bb08bbd9d1fc38f6944c5ef9d63fc76df36c183a1a149a606148.exe	86
PID 1224 wrote to memory of 1924	1224	eb8ad44c2c18bb08bbd9d1fc38f6944c5ef9d63fc76df36c183a1a149a606148.exe	89
PID 1224 wrote to memory of 1924	1224	eb8ad44c2c18bb08bbd9d1fc38f6944c5ef9d63fc76df36c183a1a149a606148.exe	89
PID 1224 wrote to memory of 1924	1224	eb8ad44c2c18bb08bbd9d1fc38f6944c5ef9d63fc76df36c183a1a149a606148.exe	89

C:\Users\Admin\AppData\Local\Temp\eb8ad44c2c18bb08bbd9d1fc38f6944c5ef9d63fc76df36c183a1a149a606148.exe
"C:\Users\Admin\AppData\Local\Temp\eb8ad44c2c18bb08bbd9d1fc38f6944c5ef9d63fc76df36c183a1a149a606148.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4256
- C:\SysDrvFQ\abodsys.exe
  C:\SysDrvFQ\abodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintW5\optixsys.exe

Filesize
2.6MB

MD5
59f49efc6d4ae42753917768621a0711

SHA1
20f8743bfed5382006da005b51c0a82df5c2b136

SHA256
3f5464b0c10af218875ebbc61385d88f1dc33cab3210dbef8deff75c4951b7a1

SHA512
c8cd74054c75b7f7af249d454ad3cae7fd020e2f9de45d3a80dcb916b451f71e8ff38b8f62b4ba98b3565f3abf430ff313799ef535dd8ab721ada2c981dcc966

Download Submit
C:\MintW5\optixsys.exe

Filesize
2.6MB

MD5
be2c87e250b7ae5dea7b22d141672228

SHA1
d76914d997515740902db5ee10a98728a936e1aa

SHA256
cf05463acda4869d0180cb21334bcb2f5f52775a5be3985883fdec8d777ff307

SHA512
3cea47c2b8321f22ea224a2f29914a57afbf7fd547fc223f89cef5836cc0a754d8f944c015a8871700e5e2870ead8f44e233f38efafda507ea11bae69b51e660

Download Submit
C:\SysDrvFQ\abodsys.exe

Filesize
2.6MB

MD5
7d317f87e3f85292be23bc81de0aabac

SHA1
da34455892eff60368a5b2c0430fc296e3eaabfc

SHA256
c0c09d5e428b910b07732efd241ae058e563980ed7e0e07012490564535405c3

SHA512
314eda94298b4dd8a8648dcf7b0c4b5bcf2649318ae2ca168a297a3815f18dda8dc3592effcec95e1f0033bc7353e156e964481040de86cb834e6d444a46e2aa

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
899ff24f87fa49240c7ec4776f0dbe43

SHA1
ef3676c452e7133a5b93e3d4ea021882e8d61b71

SHA256
6756027e78cbc343a98c70a1ff29eb2121bd68e4c98ec3c8b99c7230de540358

SHA512
cb9c6a589dfd21628a2bcf51770e1132d6d37339c6846dfe749d60d632dda80a82d1d0ffd988a220319a56f7f7cf0e2a5dfc6a0063c5ce5d991e7184544b8e97

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
f34b5482af5f79fcc8e5d62f9cc479fe

SHA1
2a0ccf5f68e2753b4817cdb68327da435a852eea

SHA256
e9846ae1db26c8b133f61a0345f2762e3f598f84ab4d07756729ab30588578b8

SHA512
60d5aa538c5fa68cfa674397b4344e802c7d92bb594b01c99d8fefa21cd2caf50f9cdd0e6f5dbba0d8cd57ddc6179042f6034b40cdbf8a46e1aca2659426f0a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
2.6MB

MD5
f485e3366531f88d6b29ebc0e42be6f8

SHA1
cdc111de3ccbafaf01dfeb91800a1f17bded4cad

SHA256
02bb6402827f38b4dad589d34f34069556971cd11bd92cdbcce7f71c4cafb71f

SHA512
6a721bbe091b6a80766452e444edba3f074d1dab99ab1cf8d18412fc2e338651931d508695dea295d54e6c565a119727d1b46eb8e5c8d08ef0c25f32abca87b9

Download Submit